Reputation: 3
Windows server 22 Powershell Get-EventLog Not Showing "Account Name:" in CSV Export
In the event viewer the field name that I am looking for in the CSV export is "Account Name:" however, this field does not display in the export but does display if the "Result in PowerShell" script is run.
Result in PowerShell:
Get-EventLog -LogName Security| Select-Object -Property * | Select -first 10
CSV Export Script:
Get-EventLog -LogName Security | Select-Object -Property * | Export-Csv -Path C:\Export.csv
What I would like to achieve is pulling a report of user activity on the file share.
Upvotes: 0
Views: 37
Answers (2)
Reputation: 27546
Get-winevent and xml example. It doesn't call it 'account name' in the xml, but the data is the same.
$a = get-winevent @{logname = 'security'} -MaxEvents 1
[xml]$xml = $a.toxml()
$xml.event.eventdata.data
Name #text
---- -----
TargetUserName admin
TargetDomainName COMP
TargetSid S-2-3-22-3961843718-1576926590-2901110931-1101
SubjectUserSid S-2-3-22-3961843718-1576926590-2901110931-1101
SubjectUserName admin
SubjectDomainName COMP
SubjectLogonId 0xc6ff76
CallerProcessId 0x173c
CallerProcessName C:\Windows\explorer.exe
Upvotes: 0
Reputation: 30218
Apply calculated properties:
Several PowerShell cmdlets transform, group, or process input objects into output objects using parameters that allow the addition of new properties to those output objects. You can use these parameters to generate new, calculated properties on output objects based on the values of input objects. The calculated property is defined by a hashtable containing key-value pairs that specify the name of the new property, an expression to calculate the value, and optional formatting information.
In particular, you can use calculated properties to add additional members to the objects output with the Select-Object cmdlet, e.g. as follows:
#Requires -RunAsAdministrator
Get-EventLog -LogName Security |
Select-Object -Property @{
name = 'Account Name'; # or 'AccountName' with no space
expr = {($_.Message -split [System.Environment]::NewLine |
Select-String 'Account Name:' -SimpleMatch |
Select-Object -ExpandProperty Line
).Split( ':').Trim()[-1]
} }, * |
Select-Object -First 2 # optional to reduce output
However, some output fields (e.g. Data or ReplacementStrings) Export-Csv shows as System.Byte[], System.String[], or even System.Object[] etc. See this article :Avoiding System.Object[] (or Similar Output) when using Export-Csv…
Upvotes: 0
Related Questions
- PowerShell - AzureAD Report SAM Account Name Pull
- How do I get the current username in Windows PowerShell?
- How to export specific fields of powershell output to csv?
- Powershell match export-csv with format shown in Windows Powershell ISE
- From PowerShell Get Refresh History In Group from Power BI REST APIs and export do CSV
- Import a CSV Find an AD account by EmployeeID attribute and export to a CSV
- Powershell script that imports from CSV, checks AD account status, then exports to CSV
- Export Matches array object to CSV in Powershell